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REMARKS 

Favorable consideration of this application, as presently amended and in light of the 
following discussion, is respectfully requested. 

Claims 1-22 are pending in the application, with Claims 1,19, and 21 amended by the 
present amendment. 

In the Official Action, Claims 1-22 were rejected under 35 U.S.C. § 103(a) as being 
unpatentable over Caronni (U.S. Patent No. 6,507,908) in view of Inoue et al. (U.S. Patent 
No. 6,170,057, hereinafter Inoue ). 

Claims 1,19 and 21 are amended to clarify features therein. One claimed feature 
resides in obtaining decrypted data by decrypting the encrypted data by utilizing the 
information regarding the security association and checking a destination address included in 
a header of the decrypted data at a time of relaying the communications with guaranteed data 
secrecy between the first terminal device and the second terminal device. Support for this 
amendment is found in Applicants' originally filed specification. No new matter is added. 

Briefly recapitulating, Claim 1 is directed to a gateway device for carrying out a data 
relaying at a transport or upper layer between a first terminal device and a second terminal 
device which are capable of carrying out communication through networks with data secrecy 
based on a security association set up therebetween. The gateway device includes a security 
information management unit configured to obtain and manage information regarding the 
security association. The gateway device also includes a data receiving unit configured to 
receive encrypted data from the first terminal device or the second terminal device. The 
gateway device also includes a data decryption unit configured to obtain decrypted data by 
decrypting the encrypted data by using the information regarding the security association and 
to check a destination address included in a header of the decrypted data at a time of relaying 
the communications with data secrecy between the first terminal device and the second 
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terminal device. The gateway device also includes a data relay unit configured to carry out 
the data relaying at the transport or upper layer according to the decrypted data. The gateway 
device also includes a data encryption unit configured to encrypt data to be transmitted from 
the gateway device by using the information regarding the security association with no new 
destination address being attached to the data to be transmitted . The gateway device also 
includes a data transmitting unit configured to transmit the encrypted data by the data 
encryption unit to the second terminal device or the first terminal device, respectively. 

As described in Applicants' specification, one object of the present invention is to 
effectively combine a method for providing security such as IPSec and a device, such as a 
TCP-GW, and a Snoop proxy particularly provided between wired side terminal devices and 
wireless side terminal devices, for improving performance of TCP. Thus, the gateway is 
located between a first terminal device and a second terminal device. The first and second 
terminal devices are in security association with each other and thus carry out 
communications with each other with data secrecy based on the security association. The 
gateway obtains information regarding the security association from somewhere. This is 
because the gateway itself does not have a function to secure secret communications between 
the first device and the second device. The gateway is provided as a proxy device for 
improving performance of TCP. 

Thus, the gateway of Claims 1,19 and 21 decrypts encrypted data received from the 
first terminal device or the second terminal device according to the information regarding the 
security association . Next, the gateway according to the present invention carries out a data 
relaying at a transport or upper layer according to the decrypted data . The gateway encrypts 
data to be transmitted, according to the information regarding the security association . 

Caronni describes a method for secure data communications with a mobile machine in 
which a data packet is received from the mobile machine having a particular network address. 
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A pool of secure addresses is established and a data structure is created to hold address 
translation associations. Each association is between a particular network address and a 
particular one of the secure addresses. If the received data packet is a secure data packet an 
association between the received data packets network address and a secure address in the 
data structure is identified and the data packets network address is translated to the associated 
secure address before forwarding the data packet onto higher network protocol layers. When 
the received data packet is not secure it is passed on without address translation to the higher 
network protocol layers. For outgoing packets addressed to a secure address, the secure 
address is translated to a real network address and the packet payload is encrypted. Outgoing 
packets that are addressed directly to the real network addresses are passed through in a 
conventional manner. 1 

However, as acknowledged in the Official Action, while Caronni decrypts data from 
an external device, Caronni does not decrypt the data according to the information regarding 
the security association. 

Inoue describes a mobile computer and a packet encryption and an authentication 
method which are capable of controlling an activation of a packet encryption and 
authentication device belonging to the mobile computer according to the security policy at 
the visited network of the mobile computer. The mobile computer is provided with a packet 
encryption and authentication unit having an on/off switchable functional for applying an 
encryption and authentication processing on input/output packets of the mobile computer. 
One of the packet encryption authentication unit and an external packet processing device is 
selectively controlled to carry out the encryption and authentication processing on the 
input/output packets, where the external packet processing device being provided in a visited 
network at which the mobile computer is located and having a function for relaying packets 

1 Caronni Abstract. 
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transferred between a computer located in the network and a computer located in another 
network by applying the encryption and authentication processing. 2 

However, contrary to the Official Action, like Caronni , Inoue fails to disclose or 
suggest the feature that "a gateway re-encrypts the decrypted packets obtained from 
decrypting the received packets before sending them to a destination device". That is, Inoue 
fails to disclose or suggest a gateway that receives encrypted packets and then decrypts the 
encrypted packets and then re-encrypts the decrypted packets and then sends this encrypted 
packets. 

Column 2, lines 42-49 in Inoue merely describes "gateway 4a (where the packet is 
decrypted) home agent (HA) 4 - getaway 4a (where the packet is encrypted again)". 
Sending and receiving a packet between the decryption and encryption is quite different from 
decrypting a packet, using the decrypted packet and then re-encrypting the packet. 

Column 5, lines 30-42 in Inoue merely describes that "the data routing control with 
respect to the mobile computer 2 is carried out by encapsulating an IP packet destined to an 
original address (an address in a home network la) of the mobile computer 2 within a packet 
destined to a current location address of the mobile computer 2". Furthermore, column 5, 
lines 43-50 in Inoue merely describes that "each gateway has a packet encryption and 
authentication processing function". Each of these portions of Inoue fail to disclose or 
suggest that a gateway re-encrypts the decrypted packets (obtained from decrypting the 
received packets) before sending them to a destination device. 

Column 7, lines 55-65 in Inoue merely discloses that "the gateway 6 applies the 
encryption and authentication processing to both the packet that is received from the Internet 
6 and is sent to the mobile station 2 and the packet that is received from the mobile station 2 
and is sent to the Internet 6". This portion of Inoue also fails to disclose or suggest "a 

2 Inoue . Abstract. 
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gateway re-encrypts the decrypted packets obtained from decrypting the received packets 
before sending them to a destination device". 

Furthermore, Inoue fails to disclose or suggest "data decryption unit configured to 
obtain decrypted data by decrypting the encrypted data by using the information regarding 
the security association and to check a destination address included in a header of the 
decrypted data at a time of relaying the communications with data secrecy between the first 
terminal device and the second terminal device" as recited in Applicants' amended Claims 1, 
19 and 21. 

The Advisory Action states Inoue discloses a gateway system with a data packet 
relaying function that decrypts the received encrypted data packets and re-encrypts the same 
data packets before transmitting them to their destination (col. 2, lines 42-49 and col. 5, lines 
30-42). However, as apparent from col. 2, lines 42-49 in Inoue , such a function is carried out 
by a plurality of gateways (4c, 4a) and via another device (home agent (HA)). In contrast, one 
gateway carries out such a function according to the present invention. However, Claims 1, 
19 and 21 include the limitation " the gateway does not attach a new destination address to 
data to be transmitted before encrypting the data " (emphasis added) to clearly point out that 
one gateway decrypts received data and then encrypts the decrypted data. 

Furthermore, Applicants continue to traverse the finding that Caronni describes a 
security association between first and second devices. That is, in Caronni , only an internal 
secure network is secured from an external terminal such as a mobile device. The gateway 
recited in Applicants' claims decrypts encrypted data received from the first terminal device 
or the second terminal device according to the information regarding the security association . 
In addition, the gateway recited in Applicants' independent claims relays data at a transport 
or upper layer according to the decrypted data . Caronni falls to disclose or suggest any data 
relaying operation, let alone Applicants' recited relay at a transport or upper layer according 
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to the decrypted data . By relaying at a transport or upper layer according to the decrypted 
data, the claimed invention is provided as a proxy device for improving performance of TCP, 
whereas the gateway in Caronni merely maintains access control lists (ACLs) to prevent 
unauthorized devices from accessing the secure network. Similarly, Caronni does not encrypt 
the data according to the information regarding the security association . Inoue fails to cure 
the deficiencies of Caronni . 

Applicants' Claims 10, 20 and 22 recite an authentication function to attach 
authentication information to data to be transmitted to the second terminal device or the first 
terminal device according to the information regarding the security association . Caronni fails 
to disclose or suggest such an authentication operation. Inoue fails to cure the deficiencies of 
Caronni . 

MPEP §706.02(j) notes that to establish a prima facie case of obviousness, three basic 
criteria must be met. First, there must be some suggestion or motivation, either in the 
references themselves or in the knowledge generally available to one of ordinary skill in the 
art, to modify the reference or to combine reference teachings. Second, there must be a 
reasonable expectation of success. Finally, the prior art reference (or references when 
combined) must teach or suggest all the claim limitations. Also, the teaching or suggestion to 
make the claimed combination and the reasonable expectation of success must both be found 
in the prior art and not based on applicant's disclosure. In re Vaeck, 947 F.2d 488, 20 
USPQ2d 1438 (Fed. Cir. 1991). Without addressing the first two prongs of the test of 
obviousness, Applicants submit that the Official Action does not present a prima facie case of 
obviousness because both Caronni and Inoue fail to disclose all the features of Applicants' 
claimed invention. 
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Accordingly, in view of the present amendment and in light of the previous 

discussion, Applicants respectfully submit that the present application is in condition for 

allowance and respectfully request an early and favorable action that that effect. 

Respectfully submitted, 

OBLON, SPIVAK, McCLELLAND, 
MAIER & NEUSTADT, P.C. 
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